X11 forwards and libwrap support

Kevin Steves stevesk at pobox.com
Thu Nov 22 10:47:19 EST 2001


On Wed, 14 Nov 2001, Osmo Paananen wrote:
:Is there any reason why support for the libwrap code isn't included
:in the X11 forwarding code? I'd like to restrict access to that
:port.
:
:How many applications would break if the tcp port
:would be closed and only the unix-domain socket would be available?
:
:It's true that x11 forwardings can be considered as a security
:risk and they are disabled because of that by default.
:I think that the risk can be made (a bit) smaller if there were
:more controls available to restrict access to the forwarded ports.
:
:Another question: is it a requirement that the forwarded X11 port is
:bound to * instead of a specific interface?

ideally the sshd server x11 socket would be bound to loopback, but there
have been issues with different Xlib implementations not using TCP
transport and some xauth issues.  i believe these issues can be addressed
for openbsd and hopefully portable platforms that have a modern X11.
i think i have many but not all of the details worked out.
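
Added example (not part of the original post and not OpenSSH code): a host-side check for the exposure discussed in this thread. It reads a Linux `/proc/net/tcp`-style table and reports whether each listening X11 display port (6000 + display number) is bound to loopback or to an address reachable from other hosts. Assumptions: a little-endian Linux host, a display range of 0 to 63, and a constructed sample table; the function names are this example's own.

```python
import ipaddress

# Constructed sample in Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:177A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0100007F:177B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:177C 0B00000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
"""

X11_BASE = 6000       # X11 display N listens on TCP port 6000 + N
MAX_DISPLAY = 63      # assumption: highest display number inspected
TCP_LISTEN = "0A"     # state code for LISTEN in /proc/net/tcp


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def x11_listeners(table):
    """Return (display, address, exposed) for each listening X11-range TCP socket."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue                             # ignore non-listening sockets
        ip, port = decode_addr(cols[1])
        if X11_BASE <= port <= X11_BASE + MAX_DISPLAY:
            # a listener that is not on loopback is reachable from other hosts
            found.append((port - X11_BASE, str(ip), not ip.is_loopback))
    return found


if __name__ == "__main__":
    for display, addr, exposed in x11_listeners(SAMPLE):
        status = "EXPOSED (not loopback)" if exposed else "loopback only"
        print(f"display :{display} bound to {addr} -> {status}")
```

On a live host, pass the contents of `/proc/net/tcp` to `x11_listeners` instead of `SAMPLE`.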



